Cacti (home)ForumsDocumentation

My First Graph

Now let's create the very first graph. I won't stick to the host cacti is running on, because this is a very special one. So I'm assuming you're running at least one other device. As cacti's roots are network monitoring with SNMP, I will use some SNMP capable device. In this case, I choose the router of my home network. But you may of course choose any device that is SNMP enabled.

Creating a New Device

But let's start from the very beginning. The first step to creating graphs for your network is adding a device for each network device that you want to create graphs for. A device specifies important details such as the network hostname, SNMP parameters, and host type. Assuming you've just logged in, you'll see a page like this:

Start page

You may either click on the Devices menu item. Clicking Add will bring up a new device form like:

New Device

The first two fields, Description and Hostname are the only two fields that require your input beyond the defaults. If your host type is defined under the host template dropdown, be sure to select it here. In this case “ucd/net SNMP Host” is used. It is important to remember that the host template you choose will not lock you into any particular configuration, it will just provide more intelligent defaults for that type of host.

The field definitions are as follows Table 7-1. Device Field Definitions

DescriptionThis description will show up in the first column of the device list. You may refer to it e.g. in graph titles
HostnameEither an IP address or a hostname. The hostname will be resolved using the standard host resolving mechanisms, e.g. Domain Name System (DNS)
Host TemplateA Host Template is a container for a list of graph templates that will be related to this host.
NotesNew with cacti 0.8.7. Add notes to a host to add arbitrary text.
Disable HostExclude this host from being polled. This is of particular value, if a device is no longer available, but should be kept e.g. as a reference.
Availability/Reachability Options
Downed Device Detection
  • NONE: Deactivate downed host detection
  • PING and SNMP: perform both tests
  • PING or SNMP: will proceed if either check works
  • SNMP: verify SNMP check on OID .1 and .1.3
  • ICMP: perform a ping test, see below
Ping MethodAvailable only, when Downed Device Detection is set ti either “PING and SNMP” or “PING”
  • ICMP: perform ICMP tests. Requires permissions
  • UDP: perform a UDP test
  • TCP: perform a TCP test
Ping PortAvailable only for UDP/TCP PING test types.
Please define the port to be tested here. Make sure, that no firewall intercepts the tests
Ping Timeout ValueAfter this time, the test fails. Measured in units of milliseconds
Ping Retry CountThe number of times Cacti will attempt to ping a host before failing.
SNMP Options
SNMP Version
SNMP CommunitySNMP read community for this device.
SNMP PortEnter the UDP port number to use for SNMP (default is 161).
SNMP TimeoutThe maximum number of milliseconds Cacti will wait for an SNMP response (does not work with php-snmp support).
Maximum OID's Per Get RequestThis is a performance feature. Specifies the number of OID's that can be obtained in a single SNMP Get request.
Note: This feature only works when using Spine
Note: Some devices do not support values > 1.
Note: Cacti 087d deactivates snmpbulkwalk if set to 1
Security Options for SNMP V3
SNMP UsernameThe username of an SNMP V3 createUser statement or equivalent
SNMP PasswordThe authpassphrase of an SNMP V3 createUser statement or equivalent
SNMP Auth ProtocolThe authentication type of an SNMP V3 createUser statement or equivalent. Select either MD5 or SHA. This entry defaults to MD5.
SNMP Privacy PassphraseThe privacy passphrase of an SNMP V3 createUser statement or equivalent.
SNMP Privacy ProtocolThe privacy protocol of an SNMP V3 createUser statement or equivalent. Select either DES or AES. This entry defaults to DES.
SNMP ContextWhen using the View-Based Access Control Model (VACM), it is possible to specify an SNMP Context when mapping a community name to a security name with a com2sec directive, with the group directive and the access directive. This allows for defining special access models. If using such a parameter with your target's SNMP configuration, specify the context name to be used to access that target here.

After saving your new device, you should be redirected back to the same edit form with some additional information. If you configured SNMP for this host by providing a valid community string, you should see various statistics listed at the top of the page. If you see “SNMP error” instead, this indicates an SNMP problem between Cacti and your device.

Towards the bottom of the page there will be two addition boxes, Associated Data Queries, and Associated Graph Templates. If you selected a host template on the previous page, there will probably be a few items in each box. If there is nothing listed in either box, you will need to associate at least one data query or graph template with your new device or you will not be able to create graphs in the next step. If no available graph template or data query applies to your device, you can check the Cacti templates repository or create your own if nothing currently exists.

A Word About SNMP

The SNMP version that you choose can have a great effect on how SNMP works for you in Cacti. Version 1 should be used for everything unless you have reason to choose otherwise. If you plan on utilizing (and your device supports) high-speed (64-bit) counters, you must select version 2. Starting with Cacti 0.8.7, version 3 is fully implemented.

The way in which Cacti retrieves SNMP information from a host has an effect on which SNMP-related options are supported. Currently there are three types of SNMP retrieval methods in Cacti and are outlined below.

Table 7-2. SNMP Retrieval Types

TypeDescriptionSupported OptionsPlaces Used
External SNMPCalls the net-snmp snmpwalk and snmpget binaries that are installed on your system.All SNMP optionsWeb interface and PHP poller (poller.php)
Internal SNMP (php-snmp)Uses PHP's SNMP functions which are linked against net-snmp or ucd-snmp at compile time.Version 1 Only (Community and Port)Web interface and PHP poller (poller.php)
Spine SNMPLinks directly against net-snmp or ucd-snmp and calls the API directly.All SNMP optionsC-Based Poller (Spine)

SNMP V3 Options Explained

SNMP supports authentication and encryption features when using SNMP protocol version 3 known as View-Based Access Control Model (VACM). This requires, that the target device in question supports and is configured for SNMP V3 use. In general, configuration of V3 options is target type dependant. The following is cited from man snmpd.conf concerning user definitions

 SNMPv3 Users    createUser [-e ENGINEID] username (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]

              MD5 and SHA are the authentication types to use.  DES and AES are the privacy
              protocols  to  use. If  the  privacy  passphrase  is not specified, it is assumed
              to be the same as the authentication passphrase.  Note that the users created will
              be useless unless they are also added  to  the  VACM access control tables
              described above.

              SHA  authentication  and DES/AES privacy require OpenSSL to be installed and the
              agent to be built with OpenSSL support.  MD5 authentication may be used without

              Warning: the minimum pass phrase length is 8 characters.

VACM directives are explained from man snmpd.conf as follows

 VACM Configuration       The full flexibility of the VACM is available using four configuration directives -
       com2sec, group,  view and access.  These provide direct configuration of the underlying
       VACM tables.

              map  an  SNMPv1 or SNMPv2c community string to a security name - either from a
              particular range of source addresses, or globally ("default").  A restricted
              source can either be a specific  hostname (or  address),  or  a  subnet -
              represented as IP/MASK (e.g., or IP/BITS
              (e.g., or the IPv6 equivalents.

              The same community string can be specified in several separate directives
              (presumably with different  source  tokens), and the first source/community
              combination that matches the incoming request will be selected.  Various
              source/community combinations can also map to the same security name.

              If a CONTEXT is specified (using -Cn), the community string will be mapped
              to a security  name  in the named SNMPv3 context. Otherwise the default
              context ("") will be used.

       group GROUP {v1|v2c|usm} SECNAME
              maps  a  security name (in the specified security model) into a named group.
              Several group directives can specify the same group name, allowing a single
              access setting to apply to several  users and/or community strings.

              Note  that  groups must be set up for the two community-based models separately -
              a single com2sec (or equivalent) directive will typically be accompanied by two
              group directives.

       view VNAME TYPE OID [MASK]
              defines a named "view" - a subset of the overall OID tree. This is most commonly
              a single subtree, but  several view directives can be given with the same view
              name, to build up a more complex collection of OIDs.  TYPE is either included 
              or excluded, which can again define a more complex view (e.g by excluding certain
              sensitive objects from an otherwise accessible subtree). 

              MASK is a list of hex octets (separated by "." or ":")
              with the set bits indicating which subidentifiers in the view OID to match against.
              This can be used to define a view covering a particular row  (or  rows) in a table.
              If not specified, this defaults to matching the OID exactly (all bits set), thus
              defining a simple OID subtree.

       access GROUP CONTEXT {any|v1|v2c|usm} LEVEL PREFX READ WRITE NOTIFY  
              maps from a group of users/communities (with a particular security model
              and  minimum  security level, and in a specific context) to one of three views,
              depending on the request being processed.

              LEVEL is one of noauth, auth, or priv.  PREFX specifies how CONTEXT should be
              matched against  the context  of  the  incoming  request, either exact or prefix.
              READ, WRITE and NOTIFY specifies the view to be used for GET*, SET and
              TRAP/INFORM requests (althought the NOTIFY view is not currently used).  For
              v1 or v2c access, LEVEL will need to be noauth.

As an example, following definitions in the snmpd configuration create a set of definitions for use with SNMP V3

# sample configuration for SNMP V3
# create an SNMP V3 user with an authpassphrase and a privacy passphrase
##         username   authProto  authpassphrase  privProto  privpassphrase
##         --------   ---------  --------------  ---------  --------------
createUser gandalf    MD5        myauthpass      DES        myprivpass

# Second, map the security name into a group name:
##    groupName    securityModel  securityName
##    ---------    -------------  ------------
group groupv3      usm            gandalf

# Third, create a view for us to let the group have rights to:
##          incl/excl  subtree   mask
##          ---------  -------   ----
view    all included   .iso      80

# Fourth, create the access for that group without context
##                context sec.model sec.level prefix read   write  notif
##                ------- --------- --------- ------ ----   -----  -----
access groupv3    ""      any       auth      exact  all    all    all

When adding this stuff to your snmp configuration, please remember to restart the agent. Verify this setting using

shell> snmpwalk -v 3 -a MD5 -A myauthpass -x DES -X myprivpass -u gandalf -l authpriv localhost interface
IF-MIB::ifNumber.0 = INTEGER: 3
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: irda0
IF-MIB::ifDescr.3 = STRING: eth0
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: other(1)
IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)

Please notice the information already retrieved from this device. Of course, this output pertains to my special device. The text may vary for your equipment. In case you see:

Device with wrong SNMP Information

there is an error with the SNMP Community String that must be fixed prior to graph generation. When scrolling down, you should see some more information, that was provided by assigning this device to the given Host Template. I'm aiming at SNMP - Interface Statistics:

Device Added, Part 2

SNMP V3 Specialties

Comments taken from Does Cacti Support snmpV3 and AES192 or AES256?


In Windows, as of this writing, if you are using PHP's snmp support, you will not get snmpV3 support. This is due to the fact that the PHP development team is using a rather dated implementation of the snmp protocol on Windows.

The workaround for this is to simply use the net-snmp binaries instead of php-snmp. This is not a good solution since it slows things down though.

Linux/UNIX In this platform, PHP supports snmpV3, with the exception of SNMP Context's. Which are not supported. If you are using Contexts, if you upgrade to 0.8.7c++ of Cacti, we have incorporated a workaround to this problem so that you can continue to use php-snmp.

Spine There have been some complaints of late relative to snmpV3 support in Spine, and I can say that it works fine for DES and should have worked for AES (again) as of 0.8.7e with patches. This applies equally to Windows and Linux/UNIX.

Net-SNMP Net-SNMP Supports snmpV3, as you would expect it to, but not either AES192 or AES256. There is a nice post here Net-SNMP Article that explains why this is. Bottom line, use AES128.

Creating the Graphs

Now, back to the top of the page, select Create Graphs for this Host and find the following:

Graph Add

Check the box next to an interface you want to get data for. A good choice is a row, where a Hardware Address (aka: MAC Address) or the like is shown. From the dropdown, select a graph template of your liking. But remember, that 64 bit graphs are only supported with SNMP V2 (and some more conditions). Finally, Create to get:

Graph Added

You want to see your work immediately? So, here is the answer: You have to be patient. Assuming you did not forget to configure your cacti host's scheduler to run the poller every 5 minutes, you'll have to wait at least 10 minutes to see anything. Then, please move to Graph Management:

Graph Management

and select the newly generated graph. Please notice, that I've filtered for the device. This was for demonstration purpose only and to suppress all devices from the list I've already created.

Final Graph

The last steps are not the recommended way to handle this. Later on, I'll show how to use the Graph tab and all the magic within.

Personal Tools